AndersM¨ortberg FormalizingReﬁnementsandConstructiveAlgebrainTypeTheory T hesisforthe D egreeof D octorof P hilosophy

(1)

Thesis for the Degree of Doctor of Philosophy

Formalizing Refinements and

Constructive Algebra in Type Theory

Anders M ¨ortberg

Department of Computer Science and Engineering

Chalmers University of Technology and University of Gothenburg SE-412 96 Gothenburg, Sweden

Gothenburg, 2014

(2)

ISBN 978-91-982237-0-5

Department of Computer Science and Engineering Programming Logic Research Group

Department of Computer Science and Engineering

Chalmers University of Technology and University of Gothenburg SE-412 96 Gothenburg, Sweden

Printed at Chalmers Reproservice Gothenburg, Sweden 2014

(3)

Abstract

The extensive use of computers in mathematics and engineering has led to an increased demand for reliability in the implementation of algorithms in computer algebra systems. One way to increase the reliability is to formally verify that the implementations satisfy the mathematical theorems stating their specification. By implementing and specifying algorithms from computer algebra inside a proof assistant both the reliability of the implementation and the computational capabilities of the proof assistant can be increased.

This first part of the thesis presents a framework, developed in the interactive theorem prover Coq, for conveniently implementing and reasoning about program and data refinements. In this framework programs defined on rich dependent types suitable for proofs are linked to optimized implementations on simple types suitable for computation.

The correctness of the optimized algorithms is established on the proof- oriented types and then automatically transported to the computation- oriented types. This method has been applied to develop a library containing multiple algorithms from computational algebra, including:

Karatsuba’s polynomial multiplication, Strassen’s matrix multiplication and the Sasaki-Murao algorithm for computing the characteristic polynomial of matrices over commutative rings.

The second part of the thesis presents the formalization of notions from constructive algebra. Focus is on the theory of coherent and strongly discrete rings, which provides a general setting for developing linear algebra over rings instead of fields. Examples of such rings include B´ezout domains, Pr ¨ufer domains and elementary divisor rings.

Finitely presented modules over these rings are implemented using an abstraction layer on top of matrices. This enables us to constructively prove that the category of these modules form a suitable setting for developing homological algebra. We further show that any finitely presented module over an elementary divisor ring can be decomposed to a direct sum of a free module and cyclic modules in a unique way. This decomposition gives a decision procedure for testing if two finitely presented modules are isomorphic.

(4)

(5)

List of publications

This thesis is based on the work contained in the following papers:

1. A Refinement-Based Approach to Computational Algebra in Coq.

Maxime Dénès, Anders M örtberg and Vincent Siles. In Interactive Theorem Proving, volume 7406 of Lectures Notes in Computer Science, pages 83–98. Springer, 2012.

2. Refinements for free!. Cyril Cohen, Maxime Dénès and Anders M örtberg. In Certified Programs and Proofs, volume 8307 of Lecture Notes in Computer Science, pages 147–162. Springer, 2013.

3. A Formal Proof of Sasaki-Murao Algorithm. Thierry Coquand, An- ders M ¨ortberg and Vincent Siles. Journal of Formalized Reasoning, 5 (1):27–36, 2012.

4. Coherent and Strongly Discrete Rings in Type Theory. Thierry Co- quand, Anders M ¨ortberg and Vincent Siles. In Certified Programs and Proofs, volume 7679 of Lecture Notes in Computer Science, pages 273–288. Springer, 2012.

5. A Coq Formalization of Finitely Presented Modules. Cyril Cohen and Anders M ¨ortberg. In Interactive Theorem Proving, volume 8558 of Lecture Notes in Computer Science, pages 193–208. Springer, 2014.

6. Formalized Linear Algebra over Elementary Divisor Rings in Coq.

Guillaume Cano, Cyril Cohen, Maxime Dénès, Anders M örtberg and Vincent Siles. Preprint, 2014.

The following papers are related but not included in the thesis:

Towards a Certified Computation of Homology Groups for Digi- tal Images. J ónathan Heras, Maxime Dénès, Gadea Mata, Anders M örtberg, Mar´ıa Poza and Vincent Siles. In Computational Topology in Image Context, volume 7309 of Lecture Notes In Computer Science, pages 49–57. Springer, 2012.

(6)

Transactions on Computational Logic, 14(4):1–26, 2013.

Statement of contribution

The authors’ contributions to each of the papers included in the thesis are:

1. Implementation of list based polynomials and the algebraic hierarchy of computational structures. Wrote the sections on these and participated in writing the other sections.

2. Collaborated on developing the library and designing the methodology. Implemented the theory on sparse polynomials. Writing was distributed evenly among the authors.

3. Mainly contributed to the formalization of the correctness proof and the implementation of the efficient version of the algorithm.

4. Contributed to all parts, both formalization and writing. Imple- mented the executable versions and correctness proof of the algorithms and structures.

5. Collaborated on the formalization and wrote most parts of the paper.

6. Contributed to all parts of the formalization, in particular to the theory of rings with explicit divisibility, the proof that elementary divisor rings are coherent and the development on the Kaplansky condition. Wrote parts of most sections of the paper.

(7)

Acknowledgments

First of all I would like to thank my supervisor Thierry Coquand for the support and guidance that has made it possible for me to finish this thesis. I am also grateful to my co-supervisor Cyril Cohen, who together with Vincent Siles taught me Coq and SSReflect.

Most of my time as a PhD student has been spent in an office shared with Bassel Mannaa, Guilhem Moulin and Simon Huber who have contributed to my work not only by discussions about research but also by being great friends. I would like to thank everyone I have written papers with, the members of my follow up group, my colleagues in the ForMath project and in the Programming Logic group at Chalmers. I am also grateful to everyone else at the Department of Computer Sci- ence and Engineering for making my time here so enjoyable.

I would like to thank Anjelica Hammersj ¨o for her patience and en- couragement, and my family for always being helpful and supportive.

A special thanks to my cats for not being supportive at all, sitting on my keyboard and forcing me to take breaks sometimes.

The comments from Andrea Vezzosi, Anjelica Hammersj ¨o, Bassel Mannaa and Cyril Cohen on earlier versions of this thesis have been very helpful. The answers from Ramona Enache to my numerous ques- tions about practical issues have made my life much easier and our walks around Guldheden have been lots of fun. I would also like to thank all of the friends that I have made in Gothenburg. Especially the three friends I met on my first day as an undergraduate student at Chalmers nine years ago: Daniel Gustafsson, Pontus Lindstr ¨om and Ulf Liljengren. Thanks to all of you I have learned so many things and had lots of fun during all these years!

The research leading to these results has received funding from the European Union’s 7th Framework Programme under grant agreement nr. 243847 (ForMath).

(12)

(13)

Introduction

Computers are playing an increasingly important role in modern mathematics. Computer algebra systems like Matlab and Mathematica are fundamental tools in engineering, scientific computation and also to some extent in pure mathematics. It is important that these systems are correct – but this is not always the case [Dur´an et al., 2014]. For instance, Matlab had a bug in 2009 that made it compute an incorrect solution to a very simple system of equations [Walking Randomly, 2009]. This is problematic as equation solving is one of the most fundamental operations in Matlab on which more complex operations are based.

Many people can relate to the frustration caused by software that is not working correctly. Faulty software can also have more serious consequences: It could cost a lot of money or – even worse – human lives. Famous examples include the Pentium FDIV bug [Cipra, 1995]

that costed Intel about $475 million [Nicely, 2011] and in 1991 when a U.S. Patriot missile defense system in Saudi Arabia failed to detect an attack because of a miscalculation due to rounding errors which led to the death of 28 soldiers [Marshall, 1992].

This thesis uses techniques from software verification to facilitate the implementation of formally verified programs and mathematical theories in type theory, more precisely in the Coq proof assistant [Coq Development Team, 2012]. A potential use of this is to increase the reliability in computer algebra systems and software used in safety critical applications, reducing the risk for problems like those mentioned above.

1 Software verification

The standard approach for increasing the reliability in software is test- ing. This usually means that the programmer writes tests and collects them in a test-suite, or that a user tests the system and reports any errors found. However, these two approaches are both problematic since bugs are often found in corner-cases that are hard to find and for which

(14)

it is difficult to write good tests. Because of this, bugs might be found too late.

Another approach is to use a tool designed for randomized testing like QuickCheck [Claessen and Hughes, 2000]. This means that the programmer writes a logical specification of the program and the tool generates random input to test the specification with. This has the benefit that the programmer is relieved of the tedious task of producing test-suites and that the specification of the program has to be taken into consideration when writing it.

However, regardless of its usefulness, testing has a fundamental lim- itation as pointed out by Dijkstra:

“Program testing can be used to show the presence of bugs, but never to show their absence!” [Dijkstra, 1970]

So the question is: how can one show the absence of bugs?

The answer to this is proofs, that is, by a convincing argument that the program satisfies its specification. There are many ways to prove the correctness of a program. The traditional method is to write the proof by hand. This has the benefit that the proof can be read and verified by another person, however there might be subtle errors that are hard to spot and corner-cases could be overlooked. An alternative approach, that aims at overcoming these issues, is to use computers for both finding and verifying proofs. However, even though one has proved that the underlying algorithm is correct one can still make mistakes when implementing it. The correctness proof should hence be about the ac- tual implementation of the program and not only about the underlying algorithm.

A prerequisite to both testing and proving is that the program has been clearly specified. However, specifying a program and then proving that it satisfies the specification might not be enough to guarantee that the program is correct. Donald E. Knuth put it nicely in the end of one of his letters:

“Beware of bugs in the above code; I have only proved it correct, not tried it.” [Knuth, 1977]

A reason could be that there are errors in the specification. This kind of errors can stem from an incorrect understanding of what the program is supposed to be doing [Claessen and Hughes, 2000], or from the difficulty of specifying general purpose programs. For mathematical software the situation is slightly better. The reason for this is that a mathematical algorithm usually has a clear specification in terms of a mathematical theorem stating what is required of the input and ex- pected by the output.

(15)

1. Software verification

In order to make it easier to correctly specify programs it is impor- tant to write them in a suitable programming language. In the func- tional programmingparadigm functions are first-class objects, that is, they can be passed as arguments to other functions or be returned by functions. This makes it possible for the programmer to find good abstractions and write short general programs. The restricted use of side- effects also makes functional programming well-suited for verification.

When a function has no side-effects, it is much easier to specify what it is supposed to be doing because of referential transparency [Strachey, 2000].

One approach that is used a lot in industry to prove the correctness of complex hardware designs and for verifying concurrent and distributed software is model checking. This involves constructing a model of a system and then checking that a property is satisfied by the model. The properties are usually expressed in a temporal logic and might state safety properties like absence of deadlocks or race conditions. There are many tools for doing this kind of verification, used in both research and industry, like the SPIN model checker [Holzmann, 2004] that received the prestigious ACM Software System Award in 2001 [ACM, 2001].

Another approach to automatic verification is automated theorem provingwhich involves writing programs to automatically prove mathematical theorems expressed in a logical system. Depending on the logical system, the properties of these programs varies. For instance if the underlying logic is propositional logic the problem of satisfiability of formulas (SAT) is decidable, simply by constructing truth-tables. How- ever, as the SAT problem is NP-complete there can only be exponential time algorithms (unless the complexity classes P and NP are the same).

Regardless there are many algorithms and solvers that very efficiently solve many classes of problems, which makes them feasible to use in practice.

In first-order logic, on the other hand, logical entailment is only semidecidable. This means that it is possible to write a program that finds a proof of a formula if it is provable, but if the formula is not provable the program might not terminate. There are many efficient tools that automatically try to prove first-order formulas, an example is the Vampire prover [Kovacs and Voronkov, 2013] that has won more than 30 titles in the “world cup for theorem provers”.

It is also common to consider decision problems for logical formulas with respect to some background theory. This class of problems is called Satisfaction Modulo Theories (SMT). The theories are often expressed using first-order logic and can be axiomatizations of, for example, integers or lists. Attention is usually restricted to decidable theories, like Presburger arithmetic (natural numbers with addition), dense

(16)

linear orders or real-closed fields. This way the correctness of programs that use these theories can be automatically verified using SMT solvers like CVC4 [Barrett et al., 2011] or Microsoft’s Z3 solver [De Moura and Bjørner, 2008].

Fully automatic theorem provers have also been used to prove some interesting conjectures in mathematics. The most famous might be the proof of the Robbins conjecture, stated back in 1933, that asks whether all Robbins algebras are Boolean algebras. This problem has a simple statement, but its solution eluded many famous mathematicians and logicians, including Tarski, for many years. However, in 1996 William McCune found a proof of the conjecture using the automated theorem prover EQP [McCune, 1997].

Fully automated tools have both their pros and cons. On the one hand they are easy to use, but on the other the resulting proofs might be very big and not comprehensible by humans. In February 2014 fields medalist Timothy Gowers wrote on his blog [Gowers’s Weblog, 2014]

that a paper had appeared on the arXiv with an interesting result about the Erdos discrepancy problem. In the paper a certain bound is proved to be the best possible and interestingly the proof of this was found using a SAT solver. But the authors say in the paper that:

“The negative witness, that is, the DRUP unsatisfiability certificate, is probably one of longest proofs of a non-trivial mathematical result ever produced. Its gigantic size is comparable, for example, with the size of the whole Wikipedia, so one may have doubts about to which degree this can be accepted as a proof of a mathematical statement.” [Konev and Lisitsa, 2014]

A possible solution to increase the reliability in this kind of results is to implement a checker for verifying the certificate. However, this will rely on the correctness of the checker, so ideally this should also be verified. A possible approach for doing this is to develop it using an interactive theorem prover.

In interactive theorem proving a human writes a proof in some formal language that can be understood by a computer program, which then checks the correctness of the proof by verifying each deductive step. This is a more modest approach than fully automatic proving as checking the correctness of a proof is easier than actually finding it.

The systems used for this kind of theorem proving are called proof assistantsas they assist the user in writing a formal proof that is then verified by the system. This is often done using an interface that dis- plays what is currently known and which goals has to be proved in order to finish the proof. Many proof assistants, like for example Coq, have a so called tactic language for developing proofs. This is a domain specific language in which the user writes tactics that gets executed by

(17)

1. Software verification

the proof assistant and modify the current state of the proof. A tactic could for example apply an inference rule or rewrite some part of the goal using a lemma. Many proof assistants also use automatic techniques, like those mentioned above, in order to help the user discharge easy subgoals. This way formal proofs can be developed interactively by a kind of human-computer collaboration.

Proof assistants date back to the 1960s and the pioneering work of Nicolaas Govert de Bruijn on the Automath system [Nederpelt et al., 1994]. This system was very influential and has inspired many of the modern proof assistants in use today. It was for instance based on a typed lambda calculus and the Curry-Howard correspondence. Since the 1960s many more proof assistants have been developed [Wiedijk, 2006], and in 2013 the Coq proof assistant received the prestigious ACM Software System Award with the motivation:

“Coq has played an influential role in formal methods, programming languages, program verification and formal mathematics. As certification gains importance in academic and industrial arenas, Coq plays a critical role as a primary programming and certification tool.” [ACM, 2013]

This kind of tools have been used in some large-scale formalizations in computer science. One of the most impressive is the formal proof of the seL4 microkernel whose functional correctness was formally verified in 2009 [Klein et al., 2009]. This means that the kernel’s implementation is free of bugs like deadlocks, buffer overflows, arithmetic errors and so on. This work is estimated to have taken about 25-30 person years to be completed and was performed using the Isabelle/HOL proof assistant [Nipkow et al., 2002].

Another impressive formalization effort, led by Xavier Leroy, is the Coq implementation of the optimizing C compiler CompCert [Leroy, 2006]. The compiler produces PowerPC, ARM and x86 assembly code which is guaranteed to do the same thing as the original C code. In 2011 researchers at the University of Utah wrote a program called Csmith that randomly generates C code and then compared the output of different C compilers. They managed to find bugs in state of the art compilers like GCC and LLVM, but CompCert stood out:

“The striking thing about our CompCert results is that the middle- end bugs we found in all other compilers are absent. As of early 2011, the under-development version of CompCert is the only compiler we have tested for which Csmith cannot find wrong-code errors. This is not for lack of trying: we have devoted about six CPU-years to the task.” [Yang et al., 2011]

The completion and success of these large-scale formalizations in- dicates that proof assistants are becoming mature enough to develop

(18)

software that can be used in safety critical systems. However, proof assistants have not only been used to verify impressive results in computer science, but also to formalize many famous theorems in mathematics.

2 Formalization of mathematics

The idea of formalizing mathematics by developing it in a formal system, starting from a basic foundation, is much older than computers.

Back in 1879 Gottlob Frege wrote a book called Begriffsschrift which presented a logical system with quantifiers, and using this formal language he formalized basic arithmetic in the subsequent volume Grundgesetze der Arithmetik. However a few years later, in 1903, Bertrand Russell proved that Frege’s system was inconsistent by pointing out his famous paradox about sets containing themselves. Following this, many new foundational systems for mathematics were developed. Some were based on set theory, like Zermelo and Fraenkel set theory with the axiom of choice (ZFC). Others on the type theory developed by Bertrand Russell and Alfred North Whitehead in order to write Principia Mathematica.

In type theory each mathematical object has a type and paradoxes like the one of Russell are avoided by stratifying the types of types and not letting a type have itself as a type. Today type theories are used as a foundation for many interactive theorem provers.

One class of type theories are those based on Church’s Simple The- ory of Types [Church, 1940], these provide the basis for proof assistants in the HOL family (e.g. HOL4 [Gordon and Melham, 1993;Slind and Norrish, 2008], HOL Light [Harrison, 1996] and Isabelle/HOL [Nip- kow et al., 2002]). These are usually “simple” in the sense that types cannot depend on arbitrary terms. Many important mathematical theorems have been formalized in these systems, for instance the prime number theorem [Avigad et al., 2007; Harrison, 2009] and the Jordan curve theorem [Hales, 2007].

Another class are the intuitionistic type theories which have the aim to be used as a foundations for constructive mathematics. In con- structive mathematics the law of excluded middle and the axiom of choice are not accepted. By avoiding these principles the mathematical theories become inherently computational (see [Bridges and Palm- gren, 2013]) which makes them suitable for implementation on computers [Martin-L ¨of, 1984b].

This class of systems are based on Martin-L¨of type theory [Martin-L ¨of, 1984a] and the Calculus of (Inductive) Constructions [Coquand and Huet, 1986;Coquand and Paulin, 1990] which are dependently typed theories where types can depend on terms. This has the implication that, by the Curry-Howard correspondence, proofs and propositions correspond to

(19)

2. Formalization of mathematics

terms and types. This means that both the programs and their proofs of correctness can be implemented using the same language and logic.

Also, checking the correctness of a proof corresponds to checking that a term has a certain type. This is very appealing as techniques from programming language theory can be used to develop proof assistants for this kind of type theories, for instance, type inference can be used for proof construction. Because of this, there are many implementations of systems based on intuitionistic type theory, both as proof assistants like the Coq system and as general purpose dependently typed programming languages like Agda [Norell, 2007] and Idris [Brady, 2013].

In recent years, many large-scale formalizations of mathematics have been completed. The first of these was the formalization of the four color theorem which states that any planar map can be colored using at most four colors in such a way that no two adjacent colors are the same. The formal proof, using the Coq system, was finished by Georges Gonthier in 2005 [Gonthier, 2005,2008]. In 2012 a team, led by Georges Gonthier and using Coq, completed the formal proof of the Feit-Thompson odd order theorem stating that all finite groups of odd order are solvable [Gonthier et al., 2013]. In 2014 it was announced that the FlySpeck project, led by Thomas Hales, formalizing the Ke- pler Conjecturehad been completed [The FlySpeck Project, 2014]. This conjecture (which is now a theorem) explains the optimal way to pack spheres in three dimensional space. The formal proof was carried out using a combination of both the Isabelle and HOL Light proof assistants.

The original proofs of these theorems were controversial when they were first announced. The first proof of the four color theorem, by Ken- neth Appel and Wolfgang Haken, relied on extensive computations of different graph configurations that took over 1000 hours for their computers to complete [Appel, 1984]. Also Thomas Hales’ original proof of the Kepler conjecture, submitted in 1998 to the Annals of Mathematics, was proved with the aid of computer programs written in approxi- mately 40,000 lines of code. The paper and code were reviewed by 12 experts during four years, and the final verdict was that they were only “99% certain” of the correctness of the proof [Avigad and Harri- son, 2014]. Because of this Thomas Hales started the FlySpeck project with the aim of formalizing his proof and removing this last percent of doubt, which now seems to have been achieved [The FlySpeck Project, 2014].

The proof of the odd order theorem of Walter Feit and John Griggs Thompson on the other hand was controversial because of the sheer length of the proof. With its 255 pages it was one of the longest proofs ever submitted to a mathematical journal back in 1963. This theorem is part of the classification theorem of finite simple groups whose fi-

(20)

nal proof now consists of almost ten thousand pages written by many authors over a long period of time [Steingart, 2012]. Jean-Pierre Serre discusses this in an interview from when he was awarded the Abel prize in 2003:

“For years I have been arguing with group theorists who claimed that the “Classification Theorem” was a “theorem”, i.e. had been proved. It had indeed been announced as such in 1980 by Goren- stein, but it was found later that there was a gap (the classification of “quasi-thin” groups). Whenever I asked the specialists, they replied something like: “Oh no, it is not a gap; it is just something which has not been written, but there is an incomplete unpub- lished 800-page manuscript on it.” For me, it was just the same as a “gap”, and I could not understand why it was not acknowl- edged as such.” [Raussen and Skau, 2004]

This kind of reliability issues of very large and complicated mathematical results, that might be understood by only a few experts, is problematic. Another example of such a proof is Andrew Wiles’ proof of Fermat’s Last Theorem where the first version was believed to be correct in 1993, but an error was found and finally corrected two years later in 1995. Because of the complexity of proofs like this, and the shortage of people with enough expertise to asses them, peer-reviewing becomes very time consuming and errors might go unnoticed for a long time.

Formal proofs of these results would increase not only the reliability, but also the efficiency of the peer-reviewing process. The formalizations would, hopefully, also give rise to new mathematical methods and results.

Another motivation behind formalizing mathematics is that it involves carefully representing mathematical concepts and proofs in order to make them suited for implementation on a computer. This way simpler, clearer and more elegant proofs can be obtained. This works the other way around as well: when formalizing a mathematical result the proof assistant, or the underlying logical system, might need to be improved in order to be able to represent mathematics more conveniently, yielding better tools and techniques.

An example of this is the recent developments in type theory, building on connections to abstract homotopy theory, creating a new field called Homotopy Type Theory [Pelayo and Warren, 2014; Univalent Foundations Program, 2013]. This connection was discovered, among others, by Fields medalist Vladimir Voevodsky. From it a new axiom, motivated by models of type theory in simplicial sets, called the univa- lence axiomwas added to type theory. This new foundations of math- ematics is called Univalent foundations and during the 2012–2013 aca- demic year the Institute for Advanced Study in Princeton held a special year devoted to it.

(21)

3. This thesis

3 This thesis

Regardless of the success stories and impressive developments in the interactive theorem proving community during recent years it is hard to imagine programmers and mathematicians starting to prove their programs and theorems correct using a proof assistant on a daily basis.

The main reason for this is that formalization is very time consuming and requires both a lot of training and expertise.

A goal of this thesis is to provide a step in the direction to remedy this. First by studying techniques to formally verify efficient programs and data structures, and then by formalizing constructive algebra. This involves finding good abstractions and suitable proofs to implement libraries of formalized mathematics that can be used for further developments. These together provide a basis for bridging the gap between algorithms and theories implemented in computer algebra systems and proof assistants. This way both the reliability in implementations of algorithms in computer algebra systems and the computational capabilities of proof assistants can be increased.

3.1 Method

The formalizations presented in this thesis has been performed using the Coq proof assistant together with the Small Scale Reflection (SS- Reflect) extension [Gonthier et al., 2008]. This extension was initially developed by Georges Gonthier during the formalization of the four color theorem and has since then been further developed in the Mathe- matical Components(MathComp) Project [Mathematical Components Project, 2014] during the formalization of the Feit-Thompson Theorem.

The extension provides a new tactic language to Coq that is useful for doing “small scale reflection”. The idea of small scale reflection is to use computation to automate small proof steps resulting in a very concise proof style.

The SSReflect/MathComp project also contains a large and well designed library of already formalized mathematical theories, which was developed during the formalization of the Feit-Thompson theorem.

It contains many basic mathematical structures and theories, including an algebraic hierarchy, polynomials, matrices and linear algebra. By using this library we avoid reimplementing these fundamental notions and may start building on what has already been done. From here on we will refer to this library simply as the “MathComp library”.

The main sources of constructive algebra used during the formalizations are the book by Mines, Richman and Ruitenburg [Mines et al., 1988] and the more recent book by Lombardi and Quitt´e [Lombardi and Quitt´e, 2011]. These present modern algebra from a constructive

(22)

point of view, avoiding Noetheriannity whenever possible. The reason for avoiding Noetheriannity is that it is defined by quantification over all ideals, making it a logically complicated notion. By not assuming it more general results, expressed using first-order logic, can be obtained. Because of this, results are effective and have direct computational meaning, which makes them well-suited for formalization in intuitionistic type theory.

Most of the work presented in this thesis has been carried out as part of the European project ForMath – Formalization of Mathematics [The For- Math Project, 2014]. The goal of this project was to develop formally verified libraries of mathematics concerning abstract algebra, linear algebra, real number computation and algebraic topology. These libraries should be designed as software libraries using ideas from software engineering to increase reusability and scalability.

3.2 Formal developments

The formalizations presented in this thesis have resulted in a library of computational algebra called CoqEAL — The Coq Effective Algebra Library. The latest development version can be found at:

https://github.com/CoqEAL/CoqEAL/

The developments are divided into three folders. Thev0.1 folder corresponds to the first version of the CoqEAL library, while therefinements and theory folders correspond to the latest version. Some data, corresponding to the development version of the library at the time of writing, are collected in Table1.1:

Definitions Lemmas Lines of code

v0.1 646 971 14850

refinements 264 243 9048

theory 355 699 9136

total 1265 1913 33034

Table 1.1: Data related to the formal developments

The numbers in the last row should be taken with a grain of salt as many results in thev0.1 folder are reimplemented in the refinements andtheory folders.

Documentation of the formalizations, corresponding to what is presented in the thesis, can be found at:

http://www.cse.chalmers.se/^∼mortberg/thesis/

(23)

4. Program and data refinements

3.3 Structure and organization of the thesis

This thesis is a collection of six papers, divided evenly into two parts.

One part is about program and data refinements, and the other about constructive algebra. The papers have all been slightly modified to fit together in the thesis. However, all papers can still be read separately which means that there is some overlap in terms of notions and notations being defined in different papers. A person who reads the thesis from beginning to end can hence skim over these, while someone who is only interested in the results of one paper can read it without having to jump back and forth.

The rest of this introduction presents overviews of the two parts and the papers contained in them. The main results are summarized and the relationship between the papers detailed.

4 Program and data refinements

This part discusses ways to implement program and data refinements in type theory. These two kinds of refinements can be summarized as:

• Program refinements: Transform a program into a more efficient one computing the same thing using a different algorithm, while preserving the types.

• Data refinements: Change the data representation on which the program operates into a more efficient one, while preserving the involved algorithms.

The first two papers discuss a framework for conveniently expressing these kinds of refinements in Coq. The third paper presents an example of a program refinement of the Sasaki-Murao algorithm [Sasaki and Murao, 1982] for computing the characteristic polynomial of a matrix over any commutative ring in polynomial time.

This part provides the basis of the CoqEAL library and has suc- cessfully been used in a formal proof that ζ(3)is irrational [Mahboubi et al., 2014]. More precisely, it was used to prove a lemma involving computations with rather large rational numbers by refining a unary representation to a binary one and then performing the computations with the more efficient binary representation.

4.1 A refinement-based approach to computational alge-

bra in Coq

The first paper presents a methodology for implementing efficient algebraic algorithms and proving them correct using both program and

(24)

data refinements. This is done by implementing a simple and often inefficient version of the algorithm on rich data types and then refining it to a more efficient version on simple types. The two versions of the algorithms are then linked to each other and the correctness of the translation is formally proved in Coq.

The methodology for doing program and data refinements in the paper can be summarized as:

1. Implement a proof-oriented version of the algorithm using rich (dependent) data types and use the MathComp library to develop theories about them.

2. Refine this algorithm into an efficient computation-oriented one, using the same data types as in 1., and prove that it behaves like the proof-oriented version.

3. Translate the rich data types and the computation-oriented algorithm to computation-oriented data types and prove the correctness of the translation.

By separating the implementation of the algorithm used for proving properties and the one used for computation we achieve what Dijkstra referred to as “the separation of concerns”:

“We know that a program must be correct and we can study it from that viewpoint only; we also know that it should be efficient and we can study its efficiency on another day, so to speak.

[...] But nothing is gained – on the contrary! – by tackling these various aspects simultaneously. It is what I sometimes have called

“the separation of concerns”.” [Dijkstra, 1974]

Using this methodology the paper presents a library of computational structures with four main examples of algorithms from linear and commutative algebra:

• Efficient polynomial multiplication using Karatsuba’s algorithm.

• Greatest common divisor (gcd) of multivariate polynomials.

• Rank computation of matrices with coefficients in a field.

• Efficient matrix multiplication based on Winograd’s version of Strassen’s algorithm.

The second of these, gcd of multivariate polynomials, is especially interesting from the point of view of constructive algebra as the correctness proof neither rely on the field of fractions nor unique factorization as is customary in classical presentations. It is instead based on Gauss’

(25)

4. Program and data refinements

Lemma as in [Knuth, 1981] and the notion of GCD domains [Mines et al., 1988].

This paper was published in the post-proceedings of the 2012 edition of the Interactive Theorem Proving conference. [D´en`es et al., 2012]

4.2 Refinements for free!

The data refinement step of the methodology presented in the first paper was implemented by duplicating both the implementation of the efficient program and the hierarchy of structures on which it operates.

It also restricted which computation-oriented types could be used to types with a subtype isomorphic to the proof-oriented one. This works fine for polynomials or matrices represented using lists, but not for non-normalized rational numbers. This paper resolves these issues and improves the methodology in the first paper by adopting the following approach:

1. Relate a proof-oriented data representation with a more computa- tionally efficient one by an arbitrary heterogeneous relation.

2. Parametrize algorithms and the data on which they operate by an abstract type and its basic operations.

3. Instantiate these algorithms with proof-oriented data types and basic operations, and prove the correctness of that instance.

4. Use parametricity of the algorithm (with respect to the data representation on which it operates), together with points 2. and 3., to deduce that the algorithm instantiated with the more efficient data representation is also correct.

This methodology improves the one presented in the first paper with respect to the following aspects:

1. Generality: it extends to previously unsupported data types, like non-normalized rational numbers.

2. Modularity: each operation is refined in isolation instead of refining whole algebraic structures.

3. Genericity: before, every operation had to be implemented both for the proof-oriented and computation-oriented types, now only one generic implementation is sufficient.

4. Automation: there is now a clearer separation between the different steps of data refinements which makes it possible to use parametricity in order to automate proofs that previously had to be done by hand.

(26)

The last step involves proof automation using parametricity, which makes it the most subtle to implement as there is no internal parametricity in Coq. We chose to implement a proof-search algorithm using type classes [Sozeau and Oury, 2008] that finds the proof that a function is parametric when needed. In a system with internal parametricity, like Type Theory in Color [Bernardy and Moulin, 2013], one would instead get this for free. In practice the implementation works well in many cases, but when it fails the user has to provide the proofs by hand. This is still an improvement compared to the first paper though, as this kind of proofs always had to be given by hand before.

We have ported some of the algorithms of the first paper to the new framework and added new data refinements, in particular sparse polynomials and non-normalized rational numbers. The methodology presented in this paper provides the basis of the current version of the CoqEAL library.

This paper was published in the post-proceedings of the 2013 edition of the Certified Programs and Proofs conference. [Cohen et al., 2013]

4.3 A formal proof of the Sasaki-Murao algorithm

The third paper describes the formalization of a simple polynomial time algorithm for computing the determinant of matrices over any commutative ring. The algorithm is based on Bareiss’ algorithm [Bareiss, 1968], which can be compactly presented using functional programming notations. The algorithm is simple and runs in polynomial time, but the standard proof of correctness involves complicated identities for deter- minants called Sylvester identities [Abdeljaoued and Lombardi, 2004].

In order to conveniently formalize the correctness of this algorithm an alternative proof was found and some of the Sylvester identities then follows as corollaries of it.

The correctness of Bareiss’ algorithm requires that the principal mi- nors of the matrix are regular, that is, that they are not zero divisors.

The Sasaki-Murao algorithm [Sasaki and Murao, 1982] uses an elegant trick to avoid this: apply Bareiss’ algorithm to the matrix used when computing the characteristic polynomial and do the computations in the polynomial ring. This way Bareiss’ algorithm can be applied to any matrix to compute the characteristic polynomial, and from this the determinant easily can be obtained by setting the indeterminate to zero. A benefit of computing in the polynomial ring is that polynomial pseudo- division [Knuth, 1981] may be used. Hence there is no need to assume that the ring has a division operation and the algorithm can be applied to matrices over any commutative ring.

The effective version of the algorithm has been implemented using the approach presented in the first paper. This implementation

(27)

5. Constructive algebra in type theory

required us to combine many of the different parts of the library as the computations are done on matrices of polynomials. The resulting version is a simple and formally verified algorithm for computing the determinant of a matrix using operations like matrix multiplication, polynomial pseudo-division and Horner evaluation of polynomials.

This paper has been published in the Journal of Formalized Reasoning in 2012. [Coquand et al., 2012a]

5 Constructive algebra in type theory

This part discusses the formalization of various structures and results in constructive algebra. Constructive algebra differs from classical algebra by avoiding the law of excluded middle and the axiom of choice.

It is also common not to assume Noetheriannity (i.e. that all ideals are finitely generated) as it is a complicated notion from a constructive point of view [Perdry, 2004]. In fact, many results can be proved constructively in the more general setting without Noetherian assumptions [Lombardi and Quitt´e, 2011].

The first paper in this part is concerned with the formalization of coherent and strongly discrete rings. The next paper then develops the theory of finitely presented modules over these rings and prove that it is a good setting for doing homological algebra. Finally, in the sixth and last paper of the thesis, the formalization of elementary divisor rings is described. These are examples of coherent and strongly discrete rings, which means that we get concrete instances for the theory developed in the first two papers of this part.

5.1 Coherent and strongly discrete rings in type theory

This paper presents the formalization of algebraic structures that are important in constructive algebra: coherent and strongly discrete rings.

Coherent rings can be characterized as rings where any finitely generated ideal is finitely presented, this means that it is possible to solve homogeneous systems of equations over these rings. Further, a ring is strongly discrete if membership in finitely generated ideals is decidable.

If a ring is both coherent and strongly discrete it is not only possible to solve homogeneous systems of equations, but the solution to any (solvable) system can be computed.

These notions are not stressed in classical presentations as one can prove that Noetherian rings are coherent and strongly discrete, however the proof of this relies on classical logic in essential ways. This means that the proof has no computational content, which implies that it is not possible to write a program that extracts a finite presentation

(28)

from a finitely generated ideal over a Noetherian ring. By dropping the Noetherian assumptions and working directly with coherent and strongly discrete rings we not only get more general results, but also proofs with computational content.

Examples of coherent and strongly discrete rings considered in the paper are B´ezout domains (e.g. Z and k[x] where k is a field) and Pr ¨ufer domains (e.g.Z[√

−5]and k[x, y]/(y²+x⁴−1)). These are non- Noetherian analogues to the classical notions of principal ideal domains and Dedekind domains. By proving that these structures are coherent and strongly discrete we obtain formally verified algorithms for solving systems of equations over them.

The methodology of the first paper has been applied in order to develop computational versions of the structures and effective versions of the algorithms. This was complicated as some of the algorithms, especially for Pr ¨ufer domains, are quite involved.

Our main motivation for studying these structures is that coherent and strongly discrete rings are fundamental notions in constructive algebra [Mines et al., 1988] that can be used as a basis for developing computational homological algebra as in the Homalg system [Barakat and Lange-Hegermann, 2011;Barakat and Robertz, 2008].

This paper was published in the post-proceedings of the 2012 edition of the Certified Programs and Proofs conference. [Coquand et al., 2012b]

5.2 A Coq formalization of finitely presented modules

This paper is about formalizing the module theory of coherent and strongly discrete rings. The concept of a module over a ring is a general- ization of the notion of a vector space over a field, where the scalars are elements of an arbitrary ring. We restrict to finitely presented modules as these can be concretely represented using matrices. More precisely, an R-module Mis finitely presented if it can be represented using a finite set of generators and a finite set of relations between these. This means that they can be compactly described by an exact sequence:

R^m¹ ^M R^m⁰ ^π M 0

Here π is a surjection and M a matrix representing the m1 relations among the m0 generators of the module M. A morphism between finitely presented modules,MandN, is given by the following commutative diagram:

R^m¹ R^m⁰ M 0

Rⁿ¹ Rⁿ⁰ N 0

M

ϕR ϕG ϕ

N

(29)

5. Constructive algebra in type theory

This means that morphisms between finitely presented modules can be represented using matrices as well. All operations can then be defined by manipulating these matrices. By assuming that the underlying ring is coherent and strongly discrete we can represent morphisms using only one matrix and a proof that the other matrix can be computed from this. We also get algorithms for computing the kernel and cokernel of morphisms. Using this we have verified that finitely presented modules over coherent and strongly discrete rings form an abelian category, which means that they are a good setting for developing homological algebra.

It is in general not possible, even if the ring is coherent and strongly discrete, to decide whether two finitely presented modules are isomorphic or not. However when working with Z-modules, or more gen- erally R-modules over rings where there is an algorithm computing the Smith normal form of any matrix, this is possible. The next paper discusses a class of rings with this property, called elementary divisor rings in [Kaplansky, 1949], and provides new concrete instances of coherent and strongly discrete rings. This can hence be combined with the theory developed in this paper for formalizing computational homological algebra.

This paper was published in the post-proceedings of the 2014 edition of the Interactive Theorem Proving conference. [Cohen and M¨ortberg, 2014]

5.3 Formalized linear algebra over elementary divisor

rings in Coq

An integral domain is called an elementary divisor ring if any matrix is equivalent to a matrix in Smith normal form:







d1 0 · · · 0

. .. ...

0 dk 0 · · · 0

... 0 0 ...

... ... . .. ...

0 · · · 0 · · · 0







where d_i |d_i+1for all i. This means that given M we should be able to compute invertible matrices P and Q such that PMQ = D where D is in Smith normal form.

By developing the theory of linear algebra over these rings we can prove that they are coherent. It is also easy to show that any elementary divisor ring is a B´ezout domain and hence strongly discrete using the

(30)

theory developed in the fourth paper. We hence get that elementary divisor rings form interesting instances for our work on finitely presented modules.

Finitely presented modules over elementary divisor rings are especially well-behaved because any module is isomorphic to a direct sum of a free module and cyclic modules in a unique way. The proof of this can be seen as a constructive version of the classification theorem for finitely generated modules over principal ideal domains. We have formalized this theorem and from it we get an algorithm for decid- ing if two finitely presented modules over elementary divisor rings are isomorphic or not.

It is a well-known classical result that principal ideal domains (i.e.

integral domains where every ideal is principal) are elementary divisor rings. But, as pointed out earlier, we want to avoid Noetherian hypothe- ses in constructive algebra. However, the problem whether any B´ezout domain is an elementary divisor ring is still open [Lorenzini, 2012]. So instead we start by giving a concrete implementation of an algorithm for computing the Smith normal form of matrices with coefficients in a Euclidean domain. It is straightforward to generalize this to constructive principal ideal domains, defined as B´ezout domains where strict divisibility is well-founded.

We have also formalized a reduction, due to Kaplansky [Kaplan- sky, 1949], that reduces the problem of proving that a B´ezout domain is an elementary divisor ring to proving that it satisfies a first-order condition called the “Kaplansky condition”. Using this we prove that B´ezout domains extended with one of the following assumptions are elementary divisor rings:

1. Adequacy (i.e. the existence of a gdco operation) [Helmer, 1943].

2. Constructive Krull dimension≤1 [Lombardi and Quitt´e, 2011].

3. Well-founded strict divisibility (constructive principal ideal domains).

The first one of these is the most general while the other two imply it.

This hence gives an alternative proof that constructive principal ideal domains are elementary divisor rings. This proof also shows that while it may not be possible to just drop the Noetherian assumption alto- gether, it can sometimes be replaced by some first-order condition, in this case either constructive Krull dimension≤1, adequacy or the Ka- plansky condition.

This paper is currently under submission. [Cano et al., 2014]

(31)

Part I

Program and Data

Refinements

(32)

(33)

1

A Refinement-Based

Approach to

Computational Algebra in

Coq

Maxime Dénès, Anders M örtberg and Vincent Siles

Abstract. We describe a step-by-step approach to the implementation and formal verification of efficient algebraic algorithms. Formal specifications are expressed on rich data types which are suitable for deriving essential theoretical properties. These specifications are then refined to concrete implementations on more efficient data structures and linked to their proof-oriented counterparts. We illustrate this methodology on key applications: matrix rank computation, Strassen’s fast matrix product, Karat- suba’s polynomial multiplication, and the gcd of multivariate polynomials.

Keywords. Formalization of mathematics, Computer algebra, Efficient algebraic algorithms, Coq, SSReflect.

1.1 Introduction

In the past decade, the range of application of proof assistants has extended its traditional ground in theoretical computer science to main-

(34)

stream mathematics. Formalized proofs of important theorems like the fundamental theorem of algebra [Barendregt et al., 2014], the four color theorem [Gonthier, 2005, 2008] and the Jordan curve theorem [Hales, 2007] have advertised the use of proof assistants in mathematical ac- tivity, even in cases when the pen and paper approach was no longer tractable.

But since these results established proofs of concept, more effort has been put into designing an actually scalable library of formalized mathematics. The Mathematical Components project (developing the Math- Comp library) uses the small scale reflection extension (SSReflect) for the Coq proof assistant to achieve a nearly comparable level of detail to usual mathematics on paper, even for advanced theories like the proof of the Feit-Thompson theorem [Gonthier et al., 2013]. In this approach, the user expresses significant deductive steps while low-level details are taken care of by small computational steps, at least when properties are decidable. Such an approach makes the proof style closer to usual mathematics.

One of the main features of these libraries is that they heavily rely on rich dependent types, which gives the opportunity to encode a lot of information directly into the type of objects: for instance, the type of matrices embeds their size, which makes operations like multiplication easy to implement. Also, algorithms on these objects are simple enough so that their correctness can easily be derived from the definition. How- ever in practice, most efficient algorithms in modern computer algebra systems do not rely on dependent types and do not provide any proof of correctness. We show in this paper how to use this rich mathematical framework to develop efficient computer algebra programs with proofs of correctness. This is a step towards closing the gap between proof assistants and computer algebra systems.

The methodology we suggest for achieving this is the following: we are able to prove the correctness of some mathematical algorithms having all the high-level theory at our disposal and we then refine them to an implementation on simpler data structures that will be actually running on machines. In short, we aim at formally linking convenient high-level properties to efficient low-level implementations, ensuring safety of the whole approach while enjoying better performance thanks to the separation of proofs and computational content.

In the next section, we describe the methodology of refinements. Then, we give two examples of such refinements for matrices in section1.3, and polynomials in section 1.4. In section 1.5, we give a solution to unify both examples by describing CoqEAL — The Coq Effective Al- gebra Library. This is a library built using the methodology presented in this paper on top of the MathComp libraries.

(35)

1.2. Refinements

1.2 Refinements

Refinements are commonly used to describe successive steps when verifying a program. Typically, a specification is expressed in Hoare logic [Hoare, 1969], then the program is described in a high-level language and finally implemented in C. Each step is proved correct with respect to the previous one. By using several formalisms, one has to trust every translation step or prove them correct in yet another formalism.

Our approach is similar: we refine the definition of a concept to an efficient algorithm described on high-level data structures. Then, we implement it on data structures that are closer to machine representations, once we no longer need rich theory to prove the correctness.

However, in our approach, all of the layers can be expressed in the same formalism (the Calculus of Inductive Constructions), though they do not use exactly the same features. On one hand, the high-level layers use rich dependent types that are very useful when describing theories because they allow abuse of notations and concise statements which quickly become necessary when working with advanced mathematics. On the other hand, the efficient implementations use simple types, which are closer to standard implementations in traditional programming languages. The main advantage of this approach is that the correctness of translations can easily be expressed in the formalism itself, and we do not rely on any additional external proofs.

The implementation is an immediate translation of the algorithm in Figure1.1:

Proof-oriented definitions

Algorithmic refinement

Efficient Implementation Correctness proof

Morphism lemma

Figure 1.1: The three steps of refinement

In the next sections, we are going to use the following methodology to build efficient algorithms from high-level descriptions:

(36)

1. Implement a proof-oriented version of the algorithm using Math- Comp structures and use the libraries to prove properties about them.

2. Refine this algorithm into an efficient one still using MathComp structures and prove that it behaves like the proof-oriented version.

3. Translate the MathComp structures and the efficient algorithm to the low-level data types, ensuring that they will perform the same operations as their high-level counterparts.

The first two points uses the full power of dependent types to develop the theory and proving the correctness of the refinements while the third only uses simple types suitable for computation.

1.3 Matrices

Linear algebra is a natural first test-case to validate our approach, as a pervasive and inherently computational area of mathematics, which is well covered by the MathComp library [Gonthier, 2011]. In this section, we will detail the (quite simple) data structure we use to represent matrices and then review two fundamental examples: rank computation and efficient matrix product.

1.3.1 Representation

Matrices are represented by finite functions over pairs of ordinals (the indices):

(* 'I_n *)

Inductive ordinal (n : nat) := Ordinal m of m < n.

(* 'M[R]_(m,n) = matrix R m n *) (* 'rV[R]_m = 'M[R]_(1,m) *) (* 'cV[R]_m = 'M[R]_(m,1) *)

Inductive matrix R m n := Matrix of {ffun 'I_m * 'I_n -> R}.

This encoding makes many properties easy to derive, but it is inefficient for evaluation. Indeed, a finite function over'I_m * 'I_n is internally represented as a flat list ofm×n values which has to be traversed whenever the function is evaluated. Moreover, having the size of matrices encoded in their type allows to state concise lemmas without explicit side conditions, but it is not always flexible enough when getting closer to machine-level implementation details.

(37)

1.3. Matrices

To be able to implement efficient matrix operations we introduce a low-level data type seqmatrix representing matrices as lists of lists.

Such a matrix is built from a dependently typed one by mapping canon- ical enumerations (given by theenum function) of ordinals to the corresponding coefficients in the dependently typed matrix:

Definition seqmx_of_mx (M : 'M[R]_(m,n)) : seqmatrix :=

[seq [seq M i j | j <- enum 'I_n] | i <- enum 'I_m].

To ensure the correct behavior of list based matrices it is sufficient to prove thatseqmx_of_mx is injective:

Lemma seqmx_eqP (M N : 'M[R]_(m,n)) :

reflect (M = N) (seqmx_of_mx M == seqmx_of_mx N).

The== symbol denotes boolean equality defined using the underlying equality on R. Operations like addition are straightforward to implement, and their correctness is expressed through a morphism lemma, stating that the list based representation of the sum of two dependently typed matrices is the sum of their representations as lists:

Definition addseqmx (M N : seqmatrix) : seqmatrix :=

zipwith (zipwith (fun x y => add x y)) M N.

Lemma addseqmxE :

{morph seqmx_of_mx : M N / M + N >-> addseqmx M N}.

Heremorph is notation meaning that seqmx_of_mx is an additive morphism from dependently types to list based matrices. It is worth noting that we could have stated all our morphism lemmas with the converse operator (from list based matrices to dependently typed ones). But these lemmas would then have been quantified over lists of lists, with poorer types, which would have required a well-formedness predicate as well as premises expressing size constraints. The way we have cho- sen takes full advantage of the information carried by the richer types.

Like the addseqmx operation, we have developed list based implementations of most of the matrix operations in the MathComp library and proved the corresponding morphism lemmas. Among these operations we can cite: subtraction, scaling, transpose and block operations.

1.3.2 Computing the rank

Now that the basic data structure and operations have been defined, it is possible to apply our approach to an algorithm based on Gaussian elimination which computes the rank of a matrix A= (a_i,j)over a field K. We first specify the algorithm using dependently typed matrices and then refine it to the low-level structures.

(38)

An elimination step consists of finding a nonzero pivot in the first column of A. If there is none, it is possible to drop the first column without changing the rank. Otherwise, there is an index i such that a_i,16=0. By linear combinations of rows (preserving the rank) A can be transformed into the following matrix B:







0 a1,2−^a^1,1_a^×a^i,2

i,1 · · · a1,n− ^a^1,1_a^×a^i,n

i,1

0 ... ...

ai,1 ai,2 · · · ai,n

0 ... ...

0 a_n,2−^a^n,1_a^×a^i,2

i,1 · · · an,n− ^a^n,1_a^×a^i,n

i,1







=





 0

R1

... 0

ai,1 · · · ai,n

0

R₂ ...

0







Let R=

R1

R2

, since a_i,1 6= 0, this means that rank(A) =rank(B) = 1+_rank(_R). Hence the current rank can be incremented and the algorithm can be recursively applied on R.

In our development we defined a functionelim_step returning the matrix R above and a boolean b indicating if a pivot has been found.

A wrapper functionrank_elim is in charge of maintaining the current rank and performing the recursive call on R:

Fixpoint rank_elim (m n : nat) : 'M[K]_(m,n) -> nat :=

match n return 'M[K]_(m,n) -> nat with

| q.+1 => fun M =>

let (R,b) := elim_step M in (rank_elim R + b)%N

| _ => fun _ => 0%N end.

Note that booleans are coerced to natural numbers: b is interpreted as 1 if true and 0 if false. The correctness of rank_elim is expressed by relating it to the\rank function of the MathComp library:

Lemma rank_elimP n m (M : 'M[K]_(m,n)) : rank_elim M = \rank M.

The proof of this specification relies on a key invariant of elim_step, relating the ranks of the input and output matrices:

Lemma elim_step_rank m n (M : 'M[K]_(m, 1 + n)) :

let (R,b) := elim_step M in \rank M = (\rank R + b)%N.

Now the proof of rank_elimP follows by induction on n. The computation oriented version of this algorithm is a direct translation of the algorithm using only list based matrices and operations on them.

This simply typed version (called rank_elim_seqmx) is then linked to rank_elim by the lemma: